Abstract. We propose a simple global computing framework, whose main concern is 
code migration. Systems are structured in sites, and each site is divided into two parts: a 
computing body, and a membrane which regulates the interactions between the computing 
body and the external environment. More precisely, membranes are filters which control 
access to the associated site, and they also rely on the well-established notion of trust 
between sites. We develop a basic theory to express and enforce security policies via 
membranes. Initially, these only control the actions incoming agents intend to perform 
locally. We then adapt the basic theory to encompass more sophisticated policies, where 
the number of actions an agent wants to perform, and also their order, are considered. 



Computing is increasingly characterised by the global scale of applications and the 
ubiquity of interactions between mobile components. Among the main features of the forthcoming 
"global ubiquitous computing" paradigm we list distribution and location awareness, 
whereby code located at specific sites acts appropriately to local parameters and circumstances, 
that is, it is "context-aware"; mobility, whereby code is dispatched from site to site 
to increase flexibility and expressivity; openness, reflecting the nature of global networks 
and embodying the permeating hypothesis of localised, partial knowledge of the execution 
environment. Such systems present enormous difficulties, both technical and conceptual, 
and are currently more at the stage of exciting future prospects than that of established 
engineering practice. Two concerns, however, appear to clearly have a far-reaching 
import: security and mobility control, arising respectively from openness and from massive 
code and resource migrations. They are the focus of the present paper. 

We aim at classifying mobile components according to their behaviour, and at empowering 
sites with control capabilities which allow them to deny access to those agents whose 
behaviour does not conform to the site's policy. We see every site of a system 

\[ k[M \rangle P] \]

as an entity named $k$ and structured in two layers: a computing body $P$, where programs 
run their code, possibly accessing local resources offered by the site, and a membrane $M$, 
which regulates the interactions between the computing body and the external environment. 
An agent $P$ wishing to enter a site $l$ must be verified by the membrane before it is given a 
chance to execute in $l$. If the preliminary check succeeds, the agent is allowed to execute, 
otherwise it is rejected. In other words, a membrane implements the policy each site wants 
to enforce locally, by ruling on the access requests of incoming agents. This can be 
easily expressed by a migration rule of the form: 

\[ k[M^k \rangle \mathsf{go}\, l.P \mid Q] \parallel l[M^l \rangle R] \;\to\; k[M^k \rangle Q] \parallel l[M^l \rangle P \mid R] \qquad \text{if } M^l \vdash_k P \]

The relevant parts here are $P$, the agent wishing to migrate from $k$ to $l$, and $l$, the receiving 
site, which needs to be satisfied that $P$'s behaviour complies with its policy. The latter 
is expressed by $l$'s membrane, $M^l$. The judgement $M^l \vdash_k P$ represents $l$ inspecting the 
incoming code to verify that it upholds $M^l$. 

Observe that in the formulation above $M^l \vdash_k P$ represents a runtime check of all 
incoming agents. Because of our fundamental assumption of open-endedness, such 
checks, undesirable as they might be, cannot be avoided. In order to reduce their impact on 
system performance, and to make the runtime semantics as efficient as possible, we adopt 
a strategy which allows for efficient agent verification. Precisely, we adopt an elementary 
notion of trust, so that from the point of view of each $l$ the set of sites is consistently 
partitioned between "good," "bad," and "unknown" sites. Then, in a situation like the 
one in the rule above, we assume that $l$ will be willing to accept from a trusted site $k$ a 
$k$-certified digest $T$ of $P$'s behaviour. We then modify the primitive $\mathsf{go}$ and the judgement 
$\vdash_k$ as in the refined migration rule: 

\[ k[M^k \rangle \mathsf{go}_T\, l.P \mid Q] \parallel l[M^l \rangle R] \;\to\; k[M^k \rangle Q] \parallel l[M^l \rangle P \mid R] \qquad \text{if } M^l \vdash^T_k P \]

The notable difference is in $M^l \vdash^T_k P$. Here, $l$ verifies the entire code $P$ against $M^l$ only if 
it does not trust $k$, the signer of $P$'s certificate $T$. Otherwise, it suffices for $l$ to match $M^l$ 
against the digest $T$ carried by $\mathsf{go}$ together with $P$ from $k$, so effectively shifting work from 
$l$ to the originator of $P$. 

Our main concern in this paper is to put the focus on the machinery a membrane should 
implement to enforce different kinds of policies. We first distill the simplest calculus which 
can conceivably convey our ideas and still support a non-trivial study. It is important to 
remark that we are abstracting from agents' local computations. These can be expressed 
in any of several well-known models for concurrency, for example CCS [Mil82] or the π-calculus 
[Mil99]. We are concerned, instead, with agents' migration from site to site: our 
main language mechanism is $\mathsf{go}$ rather than intra-site (i.e. local) communication. Using this 
language, we examine four notions of policy and show how they can be enforced by using 
membranes. We start with an amusingly simple policy which only lists allowed actions. 
We then move to count action occurrences and then to policies expressed by deterministic 
finite automata. Note that such policies are only concerned with the behaviour of single 
agents, and do not take into account "coalitional" behaviours, whereby incoming agents, 
apparently innocent, join clusters of resident agents, they too apparently innocent, to 
cooperatively perform potentially harmful actions, or at least overrule the host site's policy. 
We call resident those policies intended to be applied to the joint, composite behaviour of 
the agents contained at a site. We explore resident policies as our fourth and final notion of 
policy. In all the cases, the theory adapts smoothly; we only need to refine the information 
stored in the membrane and the inspection mechanisms. 

Structure of the paper. In Section 2 we define the calculus used in this paper, and start 
with the straightforward policy which only prescribes the actions an agent can perform 
when running in a site. In Section 3 we enhance the theory to control also how many (and 
not only which kind of) actions an agent wants to perform in a site, and their order of 
execution. Finally, in Section 4 we extend the theory to control the overall computation 
taking place at a site, and not only the behaviour of single agents. The paper concludes in 
Section 5, where a comparison with related work is also given. The theoretical results are 
proved in Appendix A. With respect to the extended abstract [GHS04], this paper contains 
more examples together with complete proofs. 

2. A Simple Calculus 

In this section we describe a simple calculus for mobile agents, which may migrate 
between sites. Each site is guarded by a membrane, whose task is to ensure that every 
agent accepted at the site conforms to an entry policy. 

2.1. The Syntax. 

The syntax is given in Figure 1 and assumes two pairwise disjoint sets: basic agent 
actions $\mathsf{Act}$, ranged over by $a, b, c, \ldots$, and localities $\mathsf{Loc}$, ranged over by $l, k, h, \ldots$. Agents 
are constructed using the standard action-prefixing, parallel composition and replication 
operators from process calculi [Mil82]. The one novel operator is that for migration, 

\[ \mathsf{go}_T\, l.P \]

This agent seeks to migrate to site $l$ in order to execute the code $P$; moreover it promises 
to conform to the entry policy $T$. In practical terms this might consist of a certification 
that the incoming code $P$ conforms to the policy $T$, which the site $l$ has to decide whether 
or not to accept. In our framework, this certification is a policy that describes the (local) 
behaviour of the agent; thus, in $\mathsf{go}_T\, l.P$, $T$ will be called the digest of $P$. 

A system consists of a finite set of sites running in parallel. A site takes the form 

\[ l[M \rangle P] \]

where 

• $l$ is the site name 

• $P$ is the code currently running at $l$ 

• $M$ is the membrane which implements the entry policy. 

For convenience we assume that site names are unique in systems. Thus, in a given system 
we can identify the membrane associated with the site named $l$ by $M^l$. We start with a 
very simple kind of policy which we will then progressively enhance. 
\[
\begin{array}{llll}
\text{Basic Actions} & a, b, c, \ldots \in \mathsf{Act} & & \\
\text{Localities} & l, h, k, \ldots \in \mathsf{Loc} & & \\[1ex]
\text{Agents} & P, Q, R ::= & \mathsf{nil} & \text{nil agent} \\
 & & \mid\ a.P & \text{basic action} \\
 & & \mid\ \mathsf{go}_T\, l.P & \text{migration} \\
 & & \mid\ P \mid Q & \text{composition} \\
 & & \mid\ !P & \text{replication} \\[1ex]
\text{Systems} & N ::= & \mathbf{0} & \text{empty system} \\
 & & \mid\ l[M \rangle P] & \text{site} \\
 & & \mid\ N_1 \parallel N_2 & \text{composition}
\end{array}
\]

Figure 1: A Simple Calculus 



Definition 2.1 (Policies). A policy is a finite subset of $\mathsf{Act} \cup \mathsf{Loc}$. For two policies $T_1$ 
and $T_2$, we write 

\[ T_1 \text{ enforces } T_2 \]

whenever $T_1 \subseteq T_2$. 

Intuitively an agent conforms to a policy $T$ at a given site if 

• every action it performs at the site is contained in $T$ 

• it will only migrate to sites whose names are in $T$. 

For example, conforming to the policy {info, req, home}, where info, req are actions 
and home a location, means that the only actions that will be performed are from the 
set {info, req} and migration will only occur, if at all, to the site home. With this 
interpretation of policies, our definition of the predicate enforces is also intuitive: if some 
code $P$ conforms to the policy $T_1$ and $T_1$ enforces $T_2$ then $P$ also automatically conforms 
to $T_2$. 

The purpose of membranes is to enforce such policies on incoming agents. In other 
words, at a site $l[M \rangle Q]$ wishing to enforce a policy $T_{in}$, the membrane $M$ has to decide when 
to allow entry to an agent such as $\mathsf{go}_T\, l.P$ from another site. There are two possibilities. 

• The first is to syntactically check the code $P$ against the policy $T_{in}$; an implementation 
would actually expect the agent to arrive with a proof of this fact, and this proof would 
be checked. 

• The second would be to trust the agent that its code $P$ conforms to the stated $T$ and 
therefore only check that this conforms to the entry policy $T_{in}$. Assuming that checking 
one policy against another is more efficient than the code analysis, this would make entry 
formalities much easier. 

Deciding on when to apply the second possibility presupposes a trust management framework 
for systems, which is the topic of much current research. To simplify matters, here 
we simply assume that each site contains, as part of its membrane, a record of the level of 
trust it has in other sites. Moreover, we assume only three possible levels: bad, unknown 
and good. Intuitively, a site is good/bad if it behaves in a reliable/unreliable way, i.e. it 
does/doesn't properly calculate digests. On the other hand, a site tagged as unknown can 
behave in an unspecified way; thus, for the sake of security, it will be considered as bad. 
\[
\begin{array}{ll}
\textsc{(r-act)} & l[M \rangle a.P \mid Q] \;\to\; l[M \rangle P \mid Q] \\[2ex]
\textsc{(r-par)} & \dfrac{N_1 \to N_1'}{N_1 \parallel N_2 \to N_1' \parallel N_2} \qquad\quad
\textsc{(r-struct)}\ \ \dfrac{N \equiv N_1 \qquad N_1 \to N_1' \qquad N_1' \equiv N'}{N \to N'} \\[3ex]
\textsc{(r-mig)} & k[M^k \rangle \mathsf{go}_T\, l.P \mid Q] \parallel l[M^l \rangle R] \;\to\; k[M^k \rangle Q] \parallel l[M^l \rangle P \mid R] \qquad \text{if } M^l \vdash^T_k P
\end{array}
\]

Figure 2: The reduction relation 

\[
\begin{array}{ll}
l[M \rangle P \mid \mathsf{nil}] \equiv l[M \rangle P] & N \parallel \mathbf{0} \equiv N \\[1ex]
l[M \rangle P \mid Q] \equiv l[M \rangle Q \mid P] & N_1 \parallel N_2 \equiv N_2 \parallel N_1 \\[1ex]
l[M \rangle (P \mid Q) \mid R] \equiv l[M \rangle P \mid (Q \mid R)] & (N_1 \parallel N_2) \parallel N_3 \equiv N_1 \parallel (N_2 \parallel N_3) \\[1ex]
l[M \rangle\, !P \mid Q] \equiv l[M \rangle P \mid\, !P \mid Q] &
\end{array}
\]

Figure 3: The structural equivalence 



In a more realistic scenario, it would be possible to refine unknown to either good or bad, 
upon collection of enough evidence to consider it reliable or not. For the sake of simplicity, 
we do not model this framework here. 

Definition 2.2 (Membranes). A membrane $M$ is a pair $(M_t, M_p)$ where 

• $M_t$ is a partial function from $\mathsf{Loc}$ to {unknown, good, bad} 

• $M_p$ is a policy 



2.2. The Operational Semantics. 

Having defined both policies and membranes, we now give an operational semantics for 
the calculus, which formalises the above discussion on how to manage agent migration. This 
is given as a binary relation $N \to N'$ over systems; it is defined to be the least relation which 
satisfies the rules in Figure 2. Rule (r-act) says that the agent $a.P$ running in parallel 
with other code in site $l$, such as $Q$, can perform the action $a$; note that the semantics does 
not record the occurrence of $a$. (r-par) and (r-struct) are standard. The first allows 
reductions within parallel components, while the second says that reductions are relative 
to a structural equivalence; the rules defining this equivalence are given in Figure 3. The 
interesting reduction rule is the last one, (r-mig), governing migration; the agent $\mathsf{go}_T\, l.P$ 
can migrate from site $k$ to site $l$ provided the predicate $M^l \vdash^T_k P$ is true. This 'enabling' 
predicate formalises our discussion above on the role of the membrane $M^l$, and requires in 
turn a notion of code $P$ satisfying a policy $T$, 

\[ \vdash P : T \]
\[
\begin{array}{c}
\textsc{(tc-empty)}\ \dfrac{}{\vdash \mathsf{nil} : T} \qquad
\textsc{(tc-act)}\ \dfrac{\vdash P : T \qquad a \in T}{\vdash a.P : T} \qquad
\textsc{(tc-mig)}\ \dfrac{\vdash P : T' \qquad l \in T}{\vdash \mathsf{go}_{T'}\, l.P : T} \\[3ex]
\textsc{(tc-repl)}\ \dfrac{\vdash P : T}{\vdash\, !P : T} \qquad
\textsc{(tc-par)}\ \dfrac{\vdash P : T \qquad \vdash Q : T}{\vdash P \mid Q : T}
\end{array}
\]

Figure 4: Typechecking incoming agents 



With such a notion, we can then define $M^l \vdash^T_k P$ to be: 

\[ \text{if } M^l_t(k) = \mathsf{good} \text{ then } (T \text{ enforces } M^l_p) \text{ else } \vdash P : M^l_p \qquad (2.1) \]

In other words, if the target site $l$ trusts the source site $k$, it trusts that the professed policy 
$T$ is a faithful reflection of the behaviour of the incoming agent $P$, and then entry is gained 
provided that $T$ enforces the entry policy $M^l_p$ (i.e., in this case, $T \subseteq M^l_p$). Otherwise, if $k$ 
cannot be trusted, then the entire incoming code $P$ has to be checked to ensure that it 
conforms to the entry policy, as expressed by the predicate $\vdash P : M^l_p$. 

In Figure 4 we describe a simple inference system for checking that agents conform to 
policies, i.e. to infer judgements of the form $\vdash P : T$. Rule (tc-empty) simply says that 
the empty agent $\mathsf{nil}$ satisfies all policies. (tc-act) is also straightforward: $a.P$ satisfies a 
policy $T$ if $a$ is allowed by $T$ and the residual $P$ satisfies $T$. The rule (tc-par) says 
that to check $P \mid Q$ it is sufficient to check $P$ and $Q$ separately, and similarly for replicated 
agents. The most interesting rule is (tc-mig), which checks $\mathsf{go}_{T'}\, l.P$. This not only checks 
that migration to $l$ is allowed by the policy, that is $l \in T$, but it also checks that the code to 
be spawned there, $P$, conforms to the associated professed policy $T'$. In some sense, if the 
agent $\mathsf{go}_{T'}\, l.P$ is allowed entry into a site $k$, then $k$ assumes responsibility for any promises 
that it makes about conformance to policies. 
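As an added illustration (not part of the original paper), the following Python encodes the judgement $\vdash P : T$ of Figure 4 and the predicate $M^l \vdash^T_k P$ of (2.1), and runs them on the trust scenario of Example 2.3 below; the tuple encoding of agents, the continuation $Q = \mathsf{nil}$, the concrete digests $T_1 = \{\mathsf{info}\}$ and $T_2 = \{\mathsf{give}\}$, and the variant of home that trusts nobody are assumptions of this example.

```python
# Added example (not the paper's code): ⊢ P : T of Figure 4 and M^l ⊢^T_k P
# of (2.1), applied to Example 2.3. Agents of Figure 1 are nested tuples:
#   ("nil",)          nil          ("act", a, P)    a.P
#   ("go", T, l, P)   go_T l.P     ("par", P, Q)    P | Q      ("repl", P)   !P
GOOD, BAD, UNKNOWN = "good", "bad", "unknown"


def enforces(t1, t2):
    """T1 enforces T2 whenever T1 ⊆ T2 (Definition 2.1)."""
    return frozenset(t1) <= frozenset(t2)


def typecheck(P, T):
    """Decide ⊢ P : T by the rules of Figure 4 (syntax-directed, one pass)."""
    kind = P[0]
    if kind == "nil":                      # (tc-empty): nil satisfies every policy
        return True
    if kind == "act":                      # (tc-act): a ∈ T and ⊢ P' : T
        _, a, rest = P
        return a in T and typecheck(rest, T)
    if kind == "go":                       # (tc-mig): l ∈ T and the spawned code
        _, digest, l, rest = P             # must satisfy its own professed digest T'
        return l in T and typecheck(rest, digest)
    if kind == "par":                      # (tc-par): check both components
        _, left, right = P
        return typecheck(left, T) and typecheck(right, T)
    if kind == "repl":                     # (tc-repl): check the body once
        return typecheck(P[1], T)
    raise ValueError(f"unknown agent form {kind!r}")


class Membrane:
    """M = (M_t, M_p): trust table over Loc and entry policy (Definition 2.2)."""

    def __init__(self, trust, policy):
        self.trust = dict(trust)           # partial function: absent sites are unknown
        self.policy = frozenset(policy)

    def admits(self, source, digest, P):
        """M^l ⊢^T_k P as in (2.1): a good source only needs its digest T to
        enforce M_p; anyone else (bad or unknown) has the full code checked."""
        if self.trust.get(source, UNKNOWN) == GOOD:
            return enforces(digest, self.policy)
        return typecheck(P, self.policy)


def example_2_3():
    """Example 2.3: home trusts bob and alice; compare the digest-only check
    with what a full typecheck of the same incoming code decides."""
    Q = ("nil",)                                        # continuation is irrelevant here
    T1 = frozenset({"info"})                            # T1 enforces M^h_p = {info, req, secure}
    T2 = frozenset({"give"})                            # T2 enforces M^s_p = {give, home}
    home_policy = {"info", "req", "secure"}
    trusting_home = Membrane({"alice": GOOD, "bob": GOOD, "secure": GOOD}, home_policy)
    cautious_home = Membrane({}, home_policy)           # constructed variant: trusts nobody
    bob_code = ("act", "take", Q)                       # take.Q
    alice_code = ("act", "info", ("go", T2, "secure", ("act", "take", Q)))
    return {
        "bob_via_digest": trusting_home.admits("bob", T1, bob_code),        # admitted although take ∉ M^h_p
        "bob_full_check": cautious_home.admits("bob", T1, bob_code),        # rejected by (tc-act)
        "alice_via_digest": trusting_home.admits("alice", T1, alice_code),  # admitted
        "alice_full_check": cautious_home.admits("alice", T1, alice_code),  # rejected: (tc-mig) sees take ∉ T2
    }


if __name__ == "__main__":
    for name, verdict in example_2_3().items():
        print(f"{name}: {'admitted' if verdict else 'rejected'}")
```

The two `_full_check` entries show what home gives up by trusting bob and alice: (tc-mig) would have caught the bad nested digest $T_2$ even though the agent's own behaviour at home is within $M^h_p$.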

2.3. Safety. 

We have just outlined a reduction semantics in which sites seek to enforce policies either 
by directly checking the code of incoming agents against entry policies, or more simply by 
checking the professed policy of trusted agents. The extent to which this strategy works 
depends, not surprisingly, on the quality of a site's trust management. 

SECURITY POLICIES AS MEMBRANES IN SYSTEMS FOR GLOBAL COMPUTING 

Example 2.3. Let home be a site name with the following trust function 

\[ M^h_t : \{\mathsf{alice}, \mathsf{bob}, \mathsf{secure}\} \mapsto \mathsf{good}. \]

Consider the system 

\[ N = \mathsf{home}[M^h \rangle P^h] \parallel \mathsf{bob}[M^b \rangle P^b] \parallel \mathsf{alice}[M^a \rangle P^a] \parallel \mathsf{secure}[M^s \rangle P^s] \]

in which the entry policy of home, $M^h_p$, is {info, req, secure}, and that of secure, $M^s_p$, 
is {give, home}. Since $M^h_t(\mathsf{bob}) = \mathsf{good}$, agents migrating from bob to home are trusted 
and only their digests are checked against the entry policy $M^h_p$. So, if $P^b$ contains the agent 

\[ \mathsf{go}_{T_1}\, \mathsf{home}.(\mathsf{take}.Q) \]

where $T_1$ enforces $M^h_p$, then the entry policy of home will be transgressed. 

As another example, suppose alice, again trusted by home, contains the agent 

\[ \mathsf{go}_{T_1}\, \mathsf{home}.(\mathsf{info}.\mathsf{go}_{T_2}\, \mathsf{secure}.(\mathsf{take}.Q)) \]

where $T_2$ is some policy which enforces the entry policy of secure, $M^s_p$. Again because 
$T_1$ enforces $M^h_p$, the migration is allowed from alice to home, and moreover the incoming 
agent conforms to the policy demanded of home. The second migration of the agent is also 
successful if secure trusts home: $M^s_t(\mathsf{home}) = \mathsf{good}$ and therefore only the digest $T_2$ is 
checked against the entry policy of secure. We then have the reduction 

\[ N \to^* \mathsf{home}[\ldots] \parallel \mathsf{bob}[\ldots] \parallel \mathsf{alice}[\ldots] \parallel \mathsf{secure}[M^s \rangle \mathsf{take}.Q \mid P^s] \]

in which now the entry policy of secure has been foiled. 

The problem in this example is that the trust knowledge of home is faulty; it trusts 
sites which do not properly ensure that professed policies are enforced. Let us divide the 
sites into trustworthy and otherwise. This bipartition could be stored in an external record 
stating which nodes are trustworthy (i.e. typechecked) and which ones are not. However, 
for economy, we prefer to record this information in the membranes, by demanding that 
the trust knowledge at trustworthy sites is a proper reflection of this division. This is more 
easily defined if we assume the following ordering over trust levels: 

\[ \mathsf{unknown} <: \mathsf{bad} \qquad \text{and} \qquad \mathsf{unknown} <: \mathsf{good} \]

This reflects the intuitive idea that sites classified as unknown may, perhaps with further 
information, be subsequently classified either as good or bad. On the other hand, good or 
bad cannot be further refined; sites classified as either will not be reclassified. 

Definition 2.4 (Trustworthy sites and Coherent systems). In a system $N$, the site $k$ is 
trustworthy if $M^k_t(k) = \mathsf{good}$. $N$ is coherent if $M^k_t(l) <: M^l_t(l)$ for every trustworthy site $k$. 

Thus, if a trustworthy site $k$ believes that a site $l$ can be trusted (i.e., $M^k_t(l) = \mathsf{good}$), 
then $l$ is indeed trustworthy (as represented by $M^l_t(l) = \mathsf{good}$). Similarly, if it believes $l$ to 
be bad, then $l$ is indeed bad. The only uncertainty is when $k$ classifies $l$ as unknown: then $l$ 
may be either good or bad. Of course, in coherent systems we expect sites which have been 
classified as trustworthy to act in a trustworthy manner, which amounts to saying that code 
running at such a $k$ must have at one time gained entry there by satisfying the entry policy. 
Note that by using policies as in Definition 2.1, if $P$ satisfies an entry policy $M_p$, then it 
continues to satisfy the policy while running at $k$ (cf. Theorem 2.7 below). 

This property of coherent systems, which we call well-formedness, can therefore be 
checked syntactically. In Figure 5 we give the set of rules for deriving the judgement 

\[ \vdash N : \mathsf{ok} \]

of well-formedness of $N$. There are only two interesting rules. Firstly, (wf-g.site) says that 
$l[M \rangle P]$ is well-formed whenever $l$ is trustworthy and $\vdash P : M_p$. There is a subtlety here; 
this not only means that $P$ conforms to the policy $M_p$, but also that any digests proffered 
by agents in $P$ can also be trusted. The second relevant rule is (wf-u.site), for typing 
unknown sites: here there is no need to check the resident code, as agents emigrating from 
such sites will not be trusted. 

Example 2.5. (Example 2.3 continued.) Let us now re-examine the system $N$ in Example 
2.3. Suppose home is trustworthy, that is $M^h_t(\mathsf{home}) = \mathsf{good}$. Then, if $N$ is to be 
coherent, it is necessary for each of the sites bob, alice and secure also to be trustworthy. 
Consequently, $N$ cannot be well-formed. For example, to derive $\vdash N : \mathsf{ok}$ it would be 
necessary to derive 

\[ \vdash \mathsf{go}_{T_1}\, \mathsf{home}.(\mathsf{take}.Q) : M^b_p \]

where $M^b_p$ is the entry policy of bob. But this requires the judgement 

\[ \vdash \mathsf{take}.Q : T_1 \]

where $T_1$ enforces $M^h_p$. Since $\mathsf{take} \notin M^h_p$, this is not possible. 

One can also check that the code running at alice stops the system from being well-formed. 
Establishing $\vdash N : \mathsf{ok}$ would also require the judgement 

\[ \vdash \mathsf{go}_{T_1}\, \mathsf{home}.(\mathsf{info}.\mathsf{go}_{T_2}\, \mathsf{secure}.(\mathsf{take}.Q)) : M^a_p \]

which in turn, eventually, requires 

\[ \vdash \mathsf{take}.Q : T_2 \]

for some $T_2$ such that $T_2$ enforces $M^s_p$; this is impossible, again because take is not in $M^s_p$. 

\[
\begin{array}{c}
\textsc{(wf-empty)}\ \dfrac{}{\vdash \mathbf{0} : \mathsf{ok}} \qquad
\textsc{(wf-g.site)}\ \dfrac{\vdash P : M_p \qquad l \text{ trustworthy}}{\vdash l[M \rangle P] : \mathsf{ok}} \\[3ex]
\textsc{(wf-par)}\ \dfrac{\vdash N_1 : \mathsf{ok} \qquad \vdash N_2 : \mathsf{ok}}{\vdash N_1 \parallel N_2 : \mathsf{ok}} \qquad
\textsc{(wf-u.site)}\ \dfrac{l \text{ not trustworthy}}{\vdash l[M \rangle P] : \mathsf{ok}}
\end{array}
\]

Figure 5: Well-formed systems 

\[
\begin{array}{c}
\textsc{(lts-act)}\ a.P \xrightarrow{a} P \qquad
\textsc{(lts-mig)}\ \mathsf{go}_T\, l.P \xrightarrow{l} \mathsf{nil} \qquad
\textsc{(lts-repl)}\ \dfrac{P \mid\, !P \xrightarrow{\alpha} P'}{!P \xrightarrow{\alpha} P'} \\[3ex]
\textsc{(lts-par)}\ \dfrac{P_1 \xrightarrow{\alpha} P_1'}{P_1 \mid P_2 \xrightarrow{\alpha} P_1' \mid P_2} \qquad
\dfrac{P_1 \xrightarrow{\alpha} P_1'}{P_2 \mid P_1 \xrightarrow{\alpha} P_2 \mid P_1'}
\end{array}
\]

Figure 6: A Labelled Transition System 

In well-formed systems we know that entry policies have been respected. So one way of 
demonstrating that our reduction strategy correctly enforces these policies is to prove that 

• system well-formedness is preserved by reduction 

• only legal computations take place within trustworthy sites 

The first requirement is straightforward to formalize: 

Theorem 2.6 (Subject Reduction). If $\vdash N : \mathsf{ok}$ and $N \to N'$, then $\vdash N' : \mathsf{ok}$. 

Proof. See Appendix A.1. □ 
To formalise the second requirement we need some notion of the computations of an 
agent. With this in mind, we first define a labelled transition system between agents, which 
details the immediate actions an agent can perform, and the residual of those actions. The 
rules for the judgements 

\[ P \xrightarrow{\alpha} P' \]

where we let $\alpha$ range over $\mathsf{Act} \cup \mathsf{Loc}$, are given in Figure 6 and are all straightforward. 
These judgements are then extended to 

\[ P \xrightarrow{\sigma} P' \]

where $\sigma$ ranges over $(\mathsf{Act} \cup \mathsf{Loc})^*$, in the standard manner: $\sigma = \alpha_1, \ldots, \alpha_k$, when there 
exist $P_0, \ldots, P_k$ such that $P = P_0 \xrightarrow{\alpha_1} \ldots \xrightarrow{\alpha_k} P_k = P'$. Finally, let $act(\sigma)$ denote the set of 
all elements of $\mathsf{Act} \cup \mathsf{Loc}$ occurring in $\sigma$. 

Theorem 2.7 (Safety). Let $N$ be a well-formed system. Then, for every trustworthy site 
$l[M \rangle P]$ in $N$, $P \xrightarrow{\sigma} P'$ implies that $act(\sigma)$ enforces $M_p$. 

Proof. See Appendix A.1. □ 



3. Entry Policies 

The calculus of the previous section is based on a simple notion of entry policies, namely 
finite sets of actions and location names. An agent conforms to such a policy $T$ at a site 
if it only executes actions in $T$ before migrating to some location in $T$. However both the 
syntax and the semantics of the calculus are completely parametric on policies. All that is 
required of the collection of policies is 

• a binary relation $T_1$ enforces $T_2$ between them 

• a binary relation $\vdash P : T$ indicating that the code $P$ conforms to the policy $T$. 

With any collection of policies, endowed with two such relations, we can define the predicate 
$M^l \vdash^T_k P$ as in (2.1) above, and thereby get a reduction semantics for the calculus. In this 
section we investigate two variations on the notion of entry policies and discuss the extent 
to which we can prove that the reduction strategy correctly implements them. 

3.1. Multisets as Entry Policies. The policies of the previous section only express the 
legal actions agents may perform at a site. However in many situations more restrictive 
policies are desirable. To clar
ify this point, consider the following example. 

Example 3.1. Let mail_serv be the site name of a mail server with the following entry 
policy $M^{ms}_p$: 

\[ \{\mathsf{list}, \mathsf{send}, \mathsf{retr}, \mathsf{del}, \mathsf{reset}, \mathsf{quit}\} \]

The server accepts client agents performing requests for listing mail messages, sending/retrieving/deleting 
messages, resetting the mailbox and quitting. Now, consider the 
system 

\[ N = \mathsf{mail\_serv}[M^{ms} \rangle P^{ms}] \parallel \mathsf{spam}[M^s \rangle \mathsf{go}_T\, \mathsf{mail\_serv}.(!\mathsf{send})] \]

where $T = \{\mathsf{send}\}$. According to the typechecking of Figure 4 we have that 

\[ \vdash\, !\mathsf{send} : M^{ms}_p \]
\[
\begin{array}{c}
\textsc{(tc-empty)}\ \dfrac{}{\vdash \mathsf{nil} : T} \qquad
\textsc{(tc-act)}\ \dfrac{\vdash P : T}{\vdash a.P : T \cup \{a\}} \qquad
\textsc{(tc-mig)}\ \dfrac{\vdash P : T' \qquad T'' \text{ enforces } T'}{\vdash \mathsf{go}_{T''}\, l.P : T \cup \{l\}} \\[3ex]
\textsc{(tc-par)}\ \dfrac{\vdash P : T_1 \qquad \vdash Q : T_2}{\vdash P \mid Q : T_1 \cup T_2} \qquad
\textsc{(tc-repl)}\ \dfrac{\vdash P : T}{\vdash\, !P : T^\omega}
\end{array}
\]

Figure 7: Typechecking with policies as Multisets 



However, the agent is a spamming virus and, in practical implementations, should be rejected 
by mail_serv. 

In such scenarios it would be more suitable for policies to be able to fix an upper-bound 
over the number of messages sent. This can be achieved in our setting by changing policies 
from sets of agent actions to multisets of actions. Consequently, predicate enforces is now 
multiset inclusion. 

First let us fix some notation. We can view a multiset as a set equipped with an 
occurrence function, that associates a natural number to each element of the set. To model 
permanent resources, we also allow the occurrence function to associate $\omega$ to an element 
with an infinite number of occurrences in the multiset. Notationally, $e^\omega$ stands for an 
element $e$ occurring infinitely many times in a multiset. This notation is extended to sets 
and multisets; for any set/multiset $E$, we let $E^\omega$ denote the multiset $\{e^\omega : e \in E\}$. 

Example 3.2. (Example 3.1 continued.) Coming back to Example 3.1, it would be sufficient 
to define $M^{ms}_p$ to be $\{\ldots, \mathsf{send}^K, \ldots\}$ where $K$ is a reasonable constant. In this way, an 
agent can only send at most $K$ messages in each session; if it wants to send more messages, 
it has to disconnect from mail_serv (i.e. leave it) and then reconnect again (i.e. immigrate 
again later on). In practice, this would prevent major spamming attacks, because the time 
spent for login/logout operations would radically slow down the spam propagation. 

The theory presented in Sections 2.2 and 2.3 can be adapted to the case where policies 
are multisets of actions. The judgment $\vdash P : T$ is redefined in Figure 7, where operator $\cup$ 
stands for multiset union. The key rules are (tc-act), (tc-par) and (tc-repl). The first 
two properly decrease the type satisfied when typechecking sub-agents. The third one is 
needed because recursive agents can be, in general, freely unfolded; hence, the actions they 
intend to locally perform can be iterated arbitrarily many times. For instance, agent 

\[ P = \;!\mathsf{send} \]

satisfies policy $T = \{\mathsf{send}^\omega\}$. Notice that the new policy satisfaction judgement prevents 
the spamming virus of Example 3.1 from typechecking against the policy of mail_serv 
defined in Example 3.2. 

The analysis of the previous section can also be repeated here, but an appropriate 
notion of well-formed system is more difficult to formulate. The basic problem stems from 
the difference between entry policies and resident policies. The fact that all agents who 
have ever entered a site $l$ respect an entry policy $M_p$ gives no guarantees as to whether the 
joint effect with the code currently occupying the site $l$ also satisfies $M_p$. For instance, in the 
terms of Example 3.2, mail_serv ensures that each incoming agent can only send at most $K$ 
messages. Nevertheless, two such agents, having gained entry and now running concurrently 
at mail_serv, can legally send, jointly, up to $2K$ messages. It is therefore necessary to 
formulate well-formedness in terms of the individual threads of the code currently executing 
at a site. Let us say $P$ is a thread if it is not of the form $P_1 \mid P_2$. Note that every agent $P$ can 
be written in the form $P_1 \mid \ldots \mid P_n$, $n \geq 1$, where each $P_i$ is a thread. So the well-formedness 
judgment is modified by replacing rule (wf-g.site) in Figure 5 as below. 

\[ \textsc{(wf-g.site}_m\textsc{)}\ \dfrac{\forall i.\ (P_i \text{ a thread and } \vdash P_i : M_p) \qquad l \text{ trustworthy}}{\vdash l[M \rangle P_1 \mid \ldots \mid P_n] : \mathsf{ok}} \]

Theorem 3.3 (Subject Reduction for multiset policies). If $\vdash N : \mathsf{ok}$ and $N \to N'$, then 
$\vdash N' : \mathsf{ok}$. 

Proof. Similar to that of Theorem 2.6. The necessary changes are outlined in Appendix A.2. □ 

The statement of safety must be changed to reflect the focus on individual threads 
rather than agents. Moreover, we must also take into account multiple occurrences of 
actions in a trace; thus, we let $act(\sigma)$ return the multiset formed by all the actions occurring 
in $\sigma$. 

Theorem 3.4 (Safety for multiset policies). Let $N$ be a well-formed system. Then, for 
every trustworthy site $l[M \rangle P_1 \mid \ldots \mid P_n]$ in $N$, where each $P_i$ is a thread, $P_i \xrightarrow{\sigma} P_i'$ implies 
that $act(\sigma)$ enforces $M_p$. 

Proof. See Appendix A.2. □ 
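As an added example (not the paper's code), the Python below implements multiset policies with $\omega$, computes the least multiset type of an agent following the (tc-act), (tc-par) and (tc-repl) rules of Figure 7, and applies the thread-wise rule (wf-g.site$_m$) to the mail server of Examples 3.1 and 3.2 with $K = 2$; the reading of (tc-mig) as "the spawned code satisfies its own digest" and the tuple encoding of agents are assumptions of this example.

```python
import math

# Added example (not the paper's code): policies as multisets (Section 3.1),
# the judgement ⊢ P : T of Figure 7 and the thread-wise rule (wf-g.site_m),
# run on the mail server of Examples 3.1 and 3.2. Agents are nested tuples
# ("nil",), ("act", a, P), ("go", T, l, P), ("par", P, Q), ("repl", P); a
# multiset maps each action to its occurrence count, which may be OMEGA.
OMEGA = math.inf


def munion(*multisets):
    """Multiset union (the ∪ of Figure 7): occurrence counts add, ω absorbs."""
    out = {}
    for m in multisets:
        for a, n in m.items():
            out[a] = out.get(a, 0) + n
    return out


def enforces(t1, t2):
    """T1 enforces T2 iff T1 is included in T2 as a multiset (count-wise ≤)."""
    return all(n <= t2.get(a, 0) for a, n in t1.items())


def least_type(P):
    """Least multiset T with ⊢ P : T, or None if some subagent violates the
    digest of its go. (tc-act)/(tc-par) add occurrences, (tc-repl) turns every
    occurrence into ω (T^ω); for (tc-mig) the spawned code is checked against
    its own digest, as in Figure 4 (assumption of this example)."""
    kind = P[0]
    if kind == "nil":
        return {}
    if kind == "act":
        rest = least_type(P[2])
        return None if rest is None else munion({P[1]: 1}, rest)
    if kind == "go":
        _, digest, l, rest = P
        inner = least_type(rest)
        if inner is None or not enforces(inner, digest):
            return None
        return {l: 1}                      # the migration counts as one occurrence of l
    if kind == "par":
        a, b = least_type(P[1]), least_type(P[2])
        return None if a is None or b is None else munion(a, b)
    if kind == "repl":
        inner = least_type(P[1])
        return None if inner is None else {a: OMEGA for a in inner}
    raise ValueError(f"unknown agent form {kind!r}")


def typecheck(P, T):
    """⊢ P : T holds iff the least type of P is included in T."""
    t = least_type(P)
    return t is not None and enforces(t, T)


def threads(P):
    """Split P into its threads P_1 | ... | P_n (a thread is not a composition)."""
    return threads(P[1]) + threads(P[2]) if P[0] == "par" else [P]


def wf_g_site_m(resident, policy):
    """(wf-g.site_m): every thread resident at a trustworthy site satisfies M_p."""
    return all(typecheck(t, policy) for t in threads(resident))


def mail_policy(K):
    """M^{ms}_p of Example 3.2: at most K sends per session, other requests ω."""
    return {"list": OMEGA, "retr": OMEGA, "del": OMEGA, "reset": OMEGA,
            "quit": OMEGA, "send": K}


def example_3_1_and_3_2(K=2):
    """The spammer of Example 3.1 versus a bounded client, and the coalition
    effect of two admitted clients noted after Theorem 3.3."""
    policy = mail_policy(K)
    spam = ("repl", ("act", "send", ("nil",)))                            # !send
    client = ("act", "send", ("act", "send", ("act", "quit", ("nil",))))  # send.send.quit
    resident = ("par", client, client)        # two such clients now running at mail_serv
    return {
        "spam_admitted": typecheck(spam, policy),                # send^ω exceeds send^K
        "client_admitted": typecheck(client, policy),            # 2 sends ≤ K
        "resident_well_formed": wf_g_site_m(resident, policy),   # each thread passes
        "joint_within_policy": typecheck(resident, policy),      # jointly 2K sends: exceeds K
    }
```

The last two entries are the point of the thread-wise formulation: the resident code is well-formed thread by thread while its joint behaviour, the object of the resident policies of Section 4, exceeds the entry policy.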



3.2. Finite Automata as Entry Policies. A second limitation of the setting presented 
in Section 2 is that policies will sometimes need to prescribe a precise order for executing 
legal actions. This is very common in client/server interactions, where a precise protocol 
(i.e. a pattern of message exchange) must be respected. To this end we define policies as 
deterministic finite automata (DFAs, for short). 

Example 3.5. Let us consider Example 3.1 again. Usually, mail servers require a preliminary 
authentication phase to give access to mail services. To express this fact, we could 
implement the entry policy of mail_serv, $M^{ms}_p$, to be the automaton associated to the 
regular expression below. 

\[ \mathsf{usr}.\mathsf{pwd}.(\mathsf{list} + \mathsf{send} + \mathsf{retr} + \mathsf{del} + \mathsf{reset})^*.\mathsf{quit} \]

The server accepts client requests only upon authentication, via a username/password mech- 
anism. Moreover, the policy imposes that each session is regularly committed by requiring 
that each sequence of actions is terminated by quit. This could be needed to save the 
status of the transaction and avoid inconsistencies. 

We now give the formal definitions needed to adapt the theory developed in Section 2. 
We start by defining a DFA, the language associated to it, the enforces predicate between 
DFAs and a way for an agent to satisfy a DFA. As usual [HU79], a DFA is a quintuple 

\[ A = (S, \Sigma, s_0, F, \delta) \]

where 

• $S$ is a finite set of states; 

• $\Sigma$ is the input alphabet; 

• $s_0 \in S$ is a reserved state, called the starting state; 

• $\emptyset \subset F \subseteq S$ is the set of final states (also called accepting states); 

• $\delta : S \times \Sigma \to S$ is the transition relation. 

In our framework, the alphabet of the DFAs considered is a finite subset of $\mathsf{Act} \cup \mathsf{Loc}$. 
Moreover, for the sake of simplicity, we shall always assume that the DFAs in this paper 
are minimal. 

Definition 3.6 (DFA Acceptance and Enforcement). Let $A$ be a DFA. Then 

• $Acp_s(A)$ contains all the $\sigma \in \Sigma^*$ such that $\sigma$ leads $A$ from state $s$ to a final state; 

• $Acp(A)$ is defined to be $Acp_{s_0}(A)$; 

• $A_1$ enforces $A_2$ holds true whenever $Acp(A_1) \subseteq Acp(A_2)$. 

Notice that, as expected, there is an efficient way to establish $A_1$ enforces $A_2$, once 
given the automata $A_1$ and $A_2$ (see Proposition A.2 in Appendix A.3). We now formally 
describe the language associated to an agent by exploiting the notion of concurrent regular 
expressions (CRE, for short) introduced in [GR92] to model concurrent processes. For our 
purposes, the following subset of CRE suffices: 

\[ e ::= \varepsilon \;\mid\; a \;\mid\; e_1.e_2 \;\mid\; e_1 \odot e_2 \;\mid\; e^{\otimes} \]

$\varepsilon$ denotes the empty sequence of characters, $a$ ranges over $\mathsf{Act} \cup \mathsf{Loc}$, '.' denotes concatenation, 
$\odot$ is the interleaving (or shuffle) operator and $\otimes$ is its closure. Intuitively, if $e$ 
represents the language $L$, then $e^{\otimes}$ represents $\{\varepsilon\} \cup L \cup L \odot L \cup L \odot L \odot L \cup \ldots$. Given a CRE 
$e$, the language associated to it, written $lang(e)$, can be easily defined; a formal definition 
is recalled in Appendix A.3. Now, given a process $P$, we easily define a CRE associated to 
it. Formally 

\[
\begin{array}{lll}
CRE(\mathsf{nil}) = \varepsilon & CRE(a.P) = a.CRE(P) & CRE(\mathsf{go}_A\, l.P) = l \\[1ex]
CRE(P_1 \mid P_2) = CRE(P_1) \odot CRE(P_2) & CRE(!P) = CRE(P)^{\otimes} &
\end{array}
\]

Definition 3.7 (DFA Satisfaction). An agent $P$ satisfies the DFA $A$, written $\vdash P : A$, if 
$lang(CRE(P)) \subseteq Acp(A)$, and $\vdash Q : A'$ holds for every subagent of $P$ of the form $\mathsf{go}_{A'}\, l.Q$. 

In Proposition A.2 we prove that DFA satisfaction is decidable, although extremely 
hard to establish. This substantiates our hypothesis that verifying digests is preferable to 
inspecting the full code from the point of view of computational complexity. We are now 
ready to state the soundness of this variation. It simply consists in finding a proper notion 
of well-formed systems. As in Section 3.1, the entry policy can only express properties 
of single threads, instead of coalitions of threads hosted at a site. Thus, we modify rule 
(wf-g.site) from Figure 5 to: 



\[ \textsc{(wf-g.site}_a\textsc{)}\ \dfrac{\forall i.\ P_i \text{ a thread and } \exists s \in S.\ lang(CRE(P_i)) \subseteq Acp_s(M_p) \qquad l \text{ trustworthy}}{\vdash l[M \rangle P_1 \mid \ldots \mid P_n] : \mathsf{ok}} \]

This essentially requires that the languages associated to each of the threads in I are suffixes 
of words accepted by M p (cf. Theorem 13.91 below). Since this may appear quite weak, it is 
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worth remarking that the well-formedness predicate is just a 'consistency' check, a way to 
express that the agent is in a state from where it will respect the policy of I. The soundness 
theorems are reported below and are proved in Appendix IA.31 

Theorem 3.8 (Subject Reduction for automata policies). If\~N:ok and N — » N' , then 
h N' : ok. 

Theorem 3.9 (Safety for automata policies). Let N be a well-formed system. Then, for 
every trustworthy site Z[M|)Pi| . . . \P n J in N, where each Pi is a thread, a G lang(CRE(Pi)) 
implies that there exists some a' € Acp(M p ) such that a' = a" a , for some a" . 

We conclude this section with two interesting properties enforceable by using automata.

Example 3.10 (Lock/Unlock). We have two actions, lock and unlock, with the constraint that each lock must always be followed by an unlock (and no further lock may be issued while one is held). Let $\Sigma_l = \Sigma - \{lock\}$ and $\Sigma_u = \Sigma - \{lock, unlock\}$. Thus, the desired policy (written using a regular expression formalism) is

$$(\Sigma_l^*.(lock.\Sigma_u^*.unlock)^*)^*$$

Example 3.11 (Secrecy). Let secret be a secret action; we require that, whenever an agent performs secret, it cannot migrate anymore (this policy enforces that agents having performed secret always remain co-located). Let $\Sigma_s = \Sigma - \{secret\}$ and $\Sigma_g = \Sigma - Loc$; thus, the desired policy is

$$\Sigma_s^*.(\varepsilon + secret.\Sigma_g^*)$$
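As an added illustration, not code from the original paper, the following Python sketch makes the automata machinery of this section concrete: a small DFA class for policies, the inclusion test behind $A_1$ enforces $A_2$ carried out as the product-automaton search of Proposition A.2(1), the finite language $lang(CRE(P))$ of a replication-free agent, DFA satisfaction as in Definition 3.7 and the per-thread premise of rule (wf-g.site$_A$). The policies are those of Examples 3.10 and 3.11 encoded as automata over a constructed alphabet; the state names, the extra actions read and write, the locations l1 and l2 and the tuple encoding of agents are assumptions of the example.

```python
from collections import deque

class DFA:
    """Policy automaton (S, Σ, s0, F, δ); missing transitions go to an implicit sink (None)."""
    def __init__(self, states, alphabet, start, finals, delta):
        self.states, self.alphabet = set(states), set(alphabet)
        self.start, self.finals, self.delta = start, set(finals), dict(delta)

    def step(self, s, a):
        return None if s is None else self.delta.get((s, a))

    def accepts_from(self, s, word):
        """word ∈ Acp_s(A): does `word` lead A from state s to a final state?"""
        for a in word:
            s = self.step(s, a)
        return s in self.finals

def enforces(a1, a2):
    """A1 enforces A2 iff Acp(A1) ⊆ Acp(A2): breadth-first search of the product of A1 and A2 for a
    reachable pair final in A1 but not in A2 (A2's sink plays the complement), as in Prop. A.2(1)."""
    assert a1.alphabet == a2.alphabet, "policies must share an alphabet"
    start = (a1.start, a2.start)
    seen, todo = {start}, deque([start])
    while todo:
        s1, s2 = todo.popleft()
        if s1 in a1.finals and s2 not in a2.finals:
            return False                      # a word accepted by A1 and refused by A2
        for a in a1.alphabet:
            t1 = a1.step(s1, a)
            if t1 is None:
                continue                      # A1 rejects every extension of this word
            pair = (t1, a2.step(s2, a))
            if pair not in seen:
                seen.add(pair)
                todo.append(pair)
    return True

# Agents as nested tuples: ('nil',) | ('act', a, P) | ('go', l, A, P) | ('par', P, Q).
# Replication is left out so that lang(CRE(P)) is finite and can be enumerated (assumption).
NIL = ('nil',)

def act(*names, tail=NIL):                    # the sequential thread a1.a2. ... .tail
    P = tail
    for a in reversed(names):
        P = ('act', a, P)
    return P

def shuffle(u, v):                            # all interleavings of two words (⊙ on words)
    if not u or not v:
        return {u + v}
    return ({(u[0],) + w for w in shuffle(u[1:], v)} |
            {(v[0],) + w for w in shuffle(u, v[1:])})

def lang(P):
    """lang(CRE(P)) as a set of tuples over Act ∪ Loc."""
    kind = P[0]
    if kind == 'nil':
        return {()}
    if kind == 'act':
        return {(P[1],) + w for w in lang(P[2])}
    if kind == 'go':                          # CRE(go_A l.Q) = l: only the jump is visible here
        return {(P[1],)}
    if kind == 'par':
        return {w for u in lang(P[1]) for v in lang(P[2]) for w in shuffle(u, v)}
    raise ValueError(kind)

def migrations(P):                            # the go_{A'} l.Q subagents of P not nested in a go
    kind = P[0]
    if kind == 'act':
        return migrations(P[2])
    if kind == 'go':
        return [(P[1], P[2], P[3])]
    if kind == 'par':
        return migrations(P[1]) + migrations(P[2])
    return []

def satisfies(P, A):
    """Definition 3.7: lang(CRE(P)) ⊆ Acp(A) and ⊢ Q : A' for every go_{A'} l.Q in P."""
    return (all(A.accepts_from(A.start, w) for w in lang(P))
            and all(satisfies(Q, A2) for _, A2, Q in migrations(P)))

def consistent_states(P, A):
    """States s with lang(CRE(P)) ⊆ Acp_s(A): the per-thread premise of rule (wf-g.site_A)."""
    return {s for s in A.states if all(A.accepts_from(s, w) for w in lang(P))}

SIGMA = {'lock', 'unlock', 'read', 'write'}   # constructed alphabet for Example 3.10
# Example 3.10, (Σ_l^*.(lock.Σ_u^*.unlock)^*)^*: every lock is released and locks do not nest.
LOCK_POLICY = DFA({'free', 'held'}, SIGMA, 'free', {'free'}, {
    ('free', 'lock'): 'held', ('free', 'unlock'): 'free', ('free', 'read'): 'free',
    ('free', 'write'): 'free', ('held', 'unlock'): 'free', ('held', 'read'): 'held',
    ('held', 'write'): 'held'})
NO_LOCK_POLICY = DFA({'q'}, SIGMA, 'q', {'q'}, {('q', 'read'): 'q', ('q', 'write'): 'q'})
# Example 3.11, Σ_s^*.(ε + secret.Σ_g^*) with Loc = {l1, l2}: no migration once `secret` is done.
SECRECY_POLICY = DFA({'open', 'sealed'}, {'secret', 'read', 'l1', 'l2'}, 'open', {'open', 'sealed'}, {
    ('open', 'secret'): 'sealed', ('open', 'read'): 'open', ('open', 'l1'): 'open',
    ('open', 'l2'): 'open', ('sealed', 'read'): 'sealed', ('sealed', 'secret'): 'sealed'})
CRITICAL = act('lock', 'read', 'unlock')      # one well-behaved critical section
TWO_CRITICALS = ('par', act('lock', 'unlock'), act('lock', 'unlock'))   # fine alone, not together
```

Each thread of `TWO_CRITICALS` respects the lock discipline on its own, yet their shuffle contains lock.lock.unlock.unlock, so `satisfies` rejects the coalition; the interleaving in `lang` is what lets Definition 3.7 see this, and it is also why checking full code blows up with the number of threads while `enforces` on two digests stays polynomial in the product of the state spaces.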

4. Resident Policies

Here we change the intended interpretation of policies. In the previous section a policy dictated the proposed behaviour of an agent prior to execution in a site, at the point of entry. This implied that safety in well-formed systems was a thread-wise property (see rules (wf-g.site$_M$) and (wf-g.site$_A$)). Here we focus on policies which are intended to describe the permitted (coalitional) behaviour of agents during execution at a site. Nevertheless these resident policies are still used to determine whether a new agent is allowed access to the site in question; entry will only be permitted if the addition of this incoming agent to the code currently executing at the site does not violate the policy.

Let us consider an example to illustrate the difference between entry and resident policies.

Example 4.1. Let licence_serv be the site name of a server that makes available $K$ licences to download and install a software product. The distribution policy is based on a queue: the first $K$ agents landing in the site are granted the licence, the following ones are denied. The policy of the server should be $M_P = \{get\_licence^K\}$. However if this policy is interpreted as an entry policy, applying the theory of Section 3.1, then the system grants at most $K$ licences to each incoming agent. Moreover this situation continues indefinitely, effectively handing out licences to all incoming agents.

We wish to re-interpret the policies of the previous section as resident policies and here we outline two different schemes for enforcing such policies. For simplicity we confine our attention to one kind of policy, that of multisets.
4.1. Static membranes.

Our first scheme is conservative in the sense that many of the concepts developed in Section 3.1 for entry policies can be redeployed. Let us reconsider rule (r-mig) from Figure 2. There, the membrane $M^l$ only takes into consideration the incoming code $P$, and its digest $T$, when deciding on entry, via the predicate $M^l \vdash_T P$. But if the membrane is to enforce a resident policy, then it must also take into account the contribution of the code already running in $l$, namely $R$. To do so we need a mechanism for joining policies, such as those of the incoming $P$ and the resident $R$ in rule (r-mig). So let us assume that the set of policies, with the relation enforces, is a partial order in which every pair of elements $T_1$ and $T_2$ has a least upper bound, denoted $T_1 \sqcup T_2$. For multiset policies this is the case as $\sqcup$ is simply multiset union. In addition we need to be able to calculate the (minimal) policy which a process $R$ satisfies; let us denote this as $pol(R)$. For multiset policies we can adjust the rules in Figure 7, essentially by eliminating weakening, to perform this calculation; the resulting rules are given in Figure 8 with judgements of the form $\Vdash P : T$.

Lemma 4.2.

• For every $P$, there is at most one $T$ such that $\Vdash P : T$.

• $\vdash P : T$ implies that there exists some policy $T'$ such that $T'$ enforces $T$ and $\Vdash P : T'$.

Proof. The first statement is proved by structural induction on $P$; the second by induction on the derivation of $\vdash P : T$. □

Definition 4.3. Define the partial function $pol(\cdot)$ by letting $pol(P)$ be the unique policy $T$ such that $\Vdash P : T$, if it exists.

With these extra concepts we can now change rule (r-mig) in Figure 2 to take the current resident code into account. It is sufficient to change the side condition, from $M^l \vdash_T P$ to $M^l, R \vdash_T P$, where this latter is defined to be

$$\text{if } M^l_t(k) = good \text{ then } (T \sqcup pol(R)) \text{ enforces } M^l_P \text{ else } \vdash P \mid R : M^l_P$$

Here if only the digest needs to be checked then we compare $T \sqcup pol(R)$, that is the result of adding the digest to the policy of the resident code $R$, against the resident policy $M^l_P$. On the other hand if the source site is untrusted we then need to analyse the incoming code in parallel with the resident code $R$. It should be clear that the theory developed in Section 3.1 is readily adapted to this revised reduction semantics. In particular the Subject Reduction and Safety theorems remain true; we spare the reader the details. However it should also be clear that this approach to enforcing resident policies has serious practical drawbacks. An implementation would need to:

(1) freeze and retrieve the current content of the site, namely the agent $R$;

(2) calculate the minimal policy satisfied by $R$ to be merged with $P$'s digest in order to check the predicate enforces, or typecheck the composed agent $P \mid R$;

(3) reactivate $R$ and, according to the result of the checking phase, activate $P$.

Even if the language were equipped with a 'passivation' operator, as in [SS03], the overall operation would still be computationally very intensive. Consequently we suggest below another approach.
$$\frac{}{\Vdash nil : \emptyset}\ \text{(ti-empty)} \qquad \frac{\Vdash P : T}{\Vdash a.P : T \sqcup \{a\}}\ \text{(ti-act)} \qquad \frac{\Vdash P : T' \qquad T' \text{ enforces } T}{\Vdash go_T\, l.P : \{l\}}\ \text{(ti-mig)}$$

$$\frac{\Vdash P : T}{\Vdash\, !P : T^{\omega}}\ \text{(ti-repl)} \qquad \frac{\Vdash P : T_1 \qquad \Vdash Q : T_2}{\Vdash P \mid Q : T_1 \sqcup T_2}\ \text{(ti-par)}$$

Figure 8: Type inference for agents with policies as multisets



4.2. Dynamic membranes.

In the previous approach we have to repeatedly calculate the policy of the current resident code each time a new agent requests entry. Here we allow the policy in the membrane to "decrease" in order to reflect the resources already allocated to the resident code. So at any particular moment in time the policy currently in the membrane records what resources remain, for any future agents who may wish to enter; with the entry of each agent there is a corresponding decrease in the membrane's policy. Formally we need to change the migration rule (r-mig) to one which not only checks incoming code, or digest, against the membrane's policy, but also updates the membrane:

$$\text{(r-mig')}\quad k\llbracket M^k \rrparenthesis go_T\, l.P \mid Q \rrbracket \;\|\; l\llbracket M^l \rrparenthesis R \rrbracket \;\to\; k\llbracket M^k \rrparenthesis Q \rrbracket \;\|\; l\llbracket M^{l\prime} \rrparenthesis P \mid R \rrbracket \qquad \text{if } M^l \vdash_T P \succ M^{l\prime}$$

where the judgement $M^l \vdash_T P \succ M^{l\prime}$ is defined as

$$\text{let } T' = \begin{cases} T & \text{if } M^l_t(k) = good \\ pol(P) & \text{otherwise} \end{cases} \text{ in } \quad T' \text{ enforces } M^l_P \;\wedge\; M^l_P = M^{l\prime}_P \sqcup T' \;\wedge\; M^{l\prime}_t = M^l_t$$

First notice that if this migration occurs then the membrane at the target site changes, from $M^l$ to $M^{l\prime}$. The latter is obtained from the former by eliminating those resources allocated to the incoming code $P$. If the source site, $k$, is deemed to be good this is calculated via the incoming digest $T$; otherwise a direct analysis of the code $P$ is required, to calculate $pol(P)$. Note that for a source rated good the digest is believed without inspecting $P$: soundness therefore rests on coherence, i.e. on $k$ itself being a well-formed trustworthy site whose digests are justified by rule (ti-mig).

This revised schema is more reasonable from an implementation point of view, but its soundness is more difficult to formalise and prove. As a computation proceeds no permanent record is kept in the system of the original resident policies at the individual sites. Therefore well-formedness can only be defined relative to an external record of what the resident policies were, when the system was initiated. For this purpose we use a function $\Theta$, mapping trustworthy sites to policies; it is sufficient to record the original policies at these sites as we are not interested in the behaviour elsewhere.

Then we can define the notion of well-formed systems, relative to such a $\Theta$; this is written as $\Theta \vdash N : ok$ and the formal definition is given in Figure 9. The crucial rule is (wf-g.site), for trustworthy sites. If $l$ is such a site then $l\llbracket M \rrparenthesis P \rrbracket$ is well-formed relative to the original record if $M_P \sqcup pol(P)$ guarantees the original resident policy at $l$, namely $\Theta(l)$.
$$\frac{l \text{ trustworthy} \qquad (pol(P) \sqcup M_P) \text{ enforces } \Theta(l)}{\Theta \vdash l\llbracket M \rrparenthesis P \rrbracket : ok}\ \text{(wf-g.site)} \qquad \frac{}{\Theta \vdash \mathbf{0} : ok}\ \text{(wf-empty)}$$

$$\frac{l \text{ not trustworthy}}{\Theta \vdash l\llbracket M \rrparenthesis P \rrbracket : ok}\ \text{(wf-u.site)} \qquad \frac{\Theta \vdash N_1 : ok \qquad \Theta \vdash N_2 : ok}{\Theta \vdash N_1 \,\|\, N_2 : ok}\ \text{(wf-par)}$$

Figure 9: Well-formed systems under $\Theta$



Theorem 4.4 (Subject Reduction for resident policies). If $\Theta \vdash N : ok$ and $N \to N'$, then $\Theta \vdash N' : ok$.

Proof. Outlined in Appendix A.4. □

The introduction of these external records of the original resident policies also enables us to give a Safety result.

Theorem 4.5 (Safety for resident policies). Let $N$ be a well-formed system w.r.t. $\Theta$. Then, for every trustworthy site $l\llbracket M \rrparenthesis P \rrbracket$ in $N$, $P \xrightarrow{\sigma} P'$ implies that $act(\sigma)$ enforces $\Theta(l)$.

Proof. See Appendix A.4. □
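As an added example, not code from the paper, the following Python sketch plays Example 4.1 through the three readings of a multiset policy discussed in this section: the entry-policy reading of Section 3.1, the static membrane $M^l, R \vdash_T P$ of Section 4.1 and the dynamic membrane $M^l \vdash_T P \succ M^{l\prime}$ of rule (r-mig'), together with $pol(\cdot)$ computed by the rules of Figure 8 and the well-formedness check of rule (wf-g.site). The representation of $\omega$ as infinity, the way $\omega$ is handled when the membrane is decreased, the trust table, the site names trusted_site and rogue_site and the tuple encoding of agents are assumptions of the example.

```python
import math

OMEGA = math.inf   # multiplicity of an action under replication, T^ω (assumption: modelled as inf)

def union(T1, T2):                        # multiset union ⊔: multiplicities add up
    out = dict(T1)
    for a, n in T2.items():
        out[a] = out.get(a, 0) + n
    return out

def enforces(T1, T2):                     # T1 enforces T2 iff T1 ⊆ T2 as multisets
    return all(T2.get(a, 0) >= n for a, n in T1.items())

def residual(M, T):
    """The M' with M = M' ⊔ T once T has been allocated (T enforces M is assumed).
    An ω allowance stays ω: an unbounded budget is never consumed (a modelling choice here)."""
    out = {}
    for a, n in M.items():
        left = n if n == OMEGA else n - T.get(a, 0)
        if left > 0:
            out[a] = left
    return out

# Agents as nested tuples: ('nil',) | ('act', a, P) | ('go', l, T, P) | ('par', P, Q) | ('repl', P)
NIL = ('nil',)

def pol(P):
    """Minimal policy of P, i.e. the judgement ⊩ P : T of Figure 8 (no weakening)."""
    kind = P[0]
    if kind == 'nil':
        return {}
    if kind == 'act':
        return union({P[1]: 1}, pol(P[2]))
    if kind == 'go':                      # (ti-mig): the digest must be justified by the continuation
        l, T, Q = P[1], P[2], P[3]
        if not enforces(pol(Q), T):
            raise ValueError(f"digest {T} is not honoured by the code migrating to {l}")
        return {l: 1}
    if kind == 'par':
        return union(pol(P[1]), pol(P[2]))
    if kind == 'repl':
        return {a: OMEGA for a in pol(P[1])}
    raise ValueError(kind)

def admit(M, k, T, P):
    """(r-mig'): entry of go_T l.P from site k at membrane M = {'trust': M_t, 'pol': M_P}.
    Returns the decreased membrane M', or None if entry is refused.  The digest is believed
    only when k is rated good; otherwise the code itself is analysed."""
    T1 = T if M['trust'].get(k) == 'good' else pol(P)
    if not enforces(T1, M['pol']):
        return None
    return {'trust': M['trust'], 'pol': residual(M['pol'], T1)}

def admit_static(M, R, k, T, P):
    """Section 4.1, M^l, R ⊢_T P: the resident code R is re-analysed on every entry."""
    T1 = T if M['trust'].get(k) == 'good' else pol(P)
    return enforces(union(T1, pol(R)), M['pol'])

def admit_entry(M, k, T, P):
    """The entry-policy reading of Section 3.1: every agent is compared on its own against the
    full, never-updated policy, which is what goes wrong in Example 4.1."""
    T1 = T if M['trust'].get(k) == 'good' else pol(P)
    return enforces(T1, M['pol'])

def well_formed(theta_l, M, R):
    """Rule (wf-g.site) of Figure 9: (pol(R) ⊔ M_P) enforces Θ(l) at a trustworthy site l."""
    return enforces(union(pol(R), M['pol']), theta_l)

def licence_server(K, arrivals):
    """Example 4.1 with M_P = {get_licence^K}: replay arrivals = [(source, digest, agent)] through
    the dynamic membrane and return who got in plus the policy left in the membrane."""
    theta = {'get_licence': K}
    M = {'trust': {'trusted_site': 'good', 'rogue_site': 'bad'}, 'pol': dict(theta)}
    resident, admitted = NIL, []
    for k, T, P in arrivals:
        M2 = admit(M, k, T, P)
        admitted.append(M2 is not None)
        if M2 is not None:
            M, resident = M2, ('par', P, resident)
        assert well_formed(theta, M, resident)   # Theorem 4.4: preserved by every step
    return admitted, M['pol']

GET = ('act', 'get_licence', NIL)          # an agent that takes one licence
HONEST = {'get_licence': 1}               # its truthful digest

if __name__ == '__main__':
    # constructed arrivals: three honest agents from a good site, then one from an untrusted
    # site whose digest claims nothing while its code still takes a licence
    arrivals = [('trusted_site', HONEST, GET)] * 3 + [('rogue_site', {}, GET)]
    print(licence_server(2, arrivals))     # ([True, True, False, False], {})
```

Run on the constructed arrivals, the dynamic membrane admits exactly $K = 2$ agents and then refuses the rest, whereas `admit_entry` keeps saying yes indefinitely, which is the defect Example 4.1 points out. A digest is believed only from a source rated good: an agent from an untrusted site whose digest understates its behaviour is still charged for what `pol` finds in its code, while a good-rated source that lied in its digest would be caught only by coherence, i.e. by that source itself being well-formed.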



5. Conclusion and Related Work

We have presented a framework to describe distributed computations of systems involving migrating agents. The activity of agents entering/running in 'good' sites is constrained by a membrane that implements the layer dedicated to the security of the site. We have described how membranes can enforce several interesting kinds of policies. The basic theory presented for the simpler case has been refined and tuned throughout the paper to increase the expressiveness of the framework. Clearly, any other kind of behavioural specification of an agent can be considered a policy. For example, a promising direction could be considering logical frameworks (by exploiting model checking or proof checkers).

The calculus we have presented is very basic: it is even simpler than CCS [Mil82], as no synchronization can occur. Clearly, we did not aim at Turing-completeness, but at a very basic framework in which to focus on the role of membranes. We conjecture that, by suitably advancing the theory presented here, all the ideas can be lifted to more complex calculi (including, e.g., synchronization, value passing and/or name restriction).

Related Work. In the last decade, several calculi for distributed systems with code mobility have appeared in the literature. In particular, structuring a system as a (flat or hierarchical) collection of named sites introduced the possibility of dealing with sophisticated concrete features. For example, sites can be considered as the unit of failure [FG+96, Ama00], mobility [FG+96, CG00] or access control [HB02, RH03, EES]. The present work can be seen as a contribution to the last research line.

As in [GP03], we have presented a scenario where membranes can evolve. However, the membranes presented in Section 4 only describe 'what is left' in the site. On the other hand, the (dynamically evolving) type of a site in [GP03] always constrains the overall behaviour of agents in the site and it is modified upon acquisition/loss of privileges through computations.

We borrowed from [RH03] the notion of trust between sites, where agents coming from trusted sites are accepted without any control. Here, we relaxed this choice by examining the digest of agents coming from trusted sites. Moreover, we have a fixed net of trust; we believe that, once communication is added to our basic framework, the richer scenario of [RH03] (where the partial knowledge of a site can evolve during its computation) can be recovered.

A related paper is [IK01], where the authors develop a generic type system that can be smoothly instantiated to enforce several properties of the π-calculus (dealing with arity mismatch in communications, deadlock, race control and linearity). They work with one kind of type, and modify the subtyping relation in order to yield several relevant notions of safety. The main difference with our approach is that we have different kinds of types (and, thus, different type checking mechanisms) for all the variations we propose. It would be nice to lift our work to a more general framework closer to theirs; we leave this for future work.

Our work is also related to [NR05]. Policies are described there as deterministic finite automata and constrain the access to critical sections in a concurrent functional language. A type and effect system is provided that guarantees adherence of systems to the policy. In particular, the sequential behaviour of each thread is guaranteed to respect the policy, and the interleavings of the threads' locks to be safe. But unlike our paper, [NR05] has no code migration, and no explicit distribution; thus, only one centralised policy is used.

Membranes as filters between the computing body of a site and the external environment are also considered in [F<br/>MP04, Bou04, SS03]. There, membranes are computationally capable objects, and can be considered as a kind of process. They can evolve and communicate both with the outer and with the inner part of the associated node, in order to regulate the life of the node. This differs from our conception of membranes as simple tools for the verification of incoming agents.

To conclude, we remark that our understanding of membranes is radically different from the concept of policies in [ES99]. Indeed, in loc. cit., security automata control the execution of agents running in a site by in-lined monitoring. This technique consists of accepting incoming code unconditionally, but blocking at runtime those actions not abiding by the site policy. Clearly, in order to implement the strategy, the execution of each action must be filtered by the policy. This contrasts with our approach, where membranes are 'containers' that regulate the interactions between sites and their environments. The computation taking place within the site is out of the control of the membrane, which therefore cannot rely on in-lined monitoring.
Appendix A. Technical Proofs

We now outline the proofs of the technical results in the paper, section by section.

A.1. Proofs of Section 2.

Lemma A.1 (Subsumption). If $\vdash P : T$ and $T$ enforces $T'$, then $\vdash P : T'$.

Proof. By induction on the derivation of the judgment $\vdash P : T$. □
Proof of Theorem 2.6 [Subject Reduction]: The proof is by induction over the inference of $N \to N'$. Notice that trustworthiness is invariant under reduction. Therefore coherence, which is defined in terms of the trustworthiness of sites, is also preserved by reduction.

We outline the proof when the inference is deduced using rule (r-mig), a typical example. By hypothesis, $\vdash k\llbracket M^k \rrparenthesis go_T\, l.P \mid Q \rrbracket : ok$; this implies that $\vdash k\llbracket M^k \rrparenthesis Q \rrbracket : ok$. Thus, we only need to prove that $\vdash l\llbracket M^l \rrparenthesis R \rrbracket : ok$ and $M^l \vdash_T P$ imply $\vdash l\llbracket M^l \rrparenthesis P \mid R \rrbracket : ok$. We have two possible situations:

$l$ trustworthy: Judgment $\vdash R : M^l_P$ holds by hypothesis; judgment $\vdash P : M^l_P$ is implied by $M^l \vdash_T P$. Indeed, because of the coherence hypothesis, $M^l_t(k) <: M^k_t(k)$. If $M^l_t(k) \neq good$, then $M^l \vdash_T P$ is exactly the required $\vdash P : M^l_P$. Otherwise, $k$ is trustworthy as well and we know that $\vdash go_T\, l.P : M^k_P$; by rule (tc-mig) this implies that $\vdash P : T$. Judgment $\vdash P : M^l_P$ is obtained by using Lemma A.1, since $M^l \vdash_T P$ is defined to be $T$ enforces $M^l_P$ (see (2.1) in Section 2.2). Thus, by using (tc-par), we obtain the desired $\vdash P \mid R : M^l_P$.

$l$ not trustworthy: This case is simple, because rule (wf-u.site) always allows us to derive $\vdash l\llbracket M^l \rrparenthesis P \mid R \rrbracket : ok$.

The case when (r-act) is used is similar, although simpler, and the case when rule (r-par) is used requires a simple inductive argument. Finally, to prove the case when rule (r-struct) is used, we need to know that coherency of systems is preserved by structural equivalence; the proof of this fact, which is straightforward, is left to the reader. □

Proof of the Safety theorem of Section 2: Let $l\llbracket M \rrparenthesis P \rrbracket$ be a site in $N$ such that $P \xrightarrow{\sigma} P'$. We have to prove that $act(\sigma)$ enforces $M_P$. The statement is proved by induction over the length of $\sigma$. The base case, when $\sigma = \varepsilon$, is trivial since $act(\varepsilon) = \emptyset$.

So we may assume $\sigma = a\sigma'$ and $P \xrightarrow{a} P'' \xrightarrow{\sigma'} P'$. Let us consider $P \xrightarrow{a} P''$; by induction on $\xrightarrow{a}$, we can prove that $a \in M_P$ and that $\vdash l\llbracket M \rrparenthesis P'' \rrbracket : ok$. If the transition has been inferred by using rule (lts-act), then $P = a.P''$ and, by rule (wf-g.site), we have that $\vdash a.P'' : M_P$; by definition of rule (tc-act), we have the desired $a \in M_P$ and $\vdash P'' : M_P$. When (lts-mig) is used the argument is similar, and all other cases follow in a straightforward manner by induction.

Thus, we can now apply induction on the number of actions performed in $P'' \xrightarrow{\sigma'} P'$ and obtain that $act(\sigma')$ enforces $M_P$. This suffices to conclude that $act(\sigma) = (act(\sigma') \cup \{a\})$ enforces $M_P$. □

A.2. Proofs of Section 3.1.

The proofs given in Appendix A.1 can be easily adapted to the setting in which entry policies are multisets. We outline only the main changes. First recall that enforces is multiset inclusion, that judgments $\vdash P : T$ must now be inferred by using the rules in Figure 7 and that rule (wf-g.site$_M$) is used for well-formedness. Then, Lemma A.1 remains true in this revised setting.
Proof of Theorem 3.3 [Subject Reduction]: A straightforward adaptation of the corresponding proof in the previous section. The only significant change is to the case when a replication is unfolded via the rule (r-struct), i.e.

$$N = l\llbracket M \rrparenthesis !P \mid Q \rrbracket \;\equiv\; l\llbracket M \rrparenthesis P \mid !P \mid Q \rrbracket \;\to\; N'' \;\equiv\; N'$$

By hypothesis, $\vdash !P : M_P$; therefore, by definition of rule (tc-repl), we have that $\vdash P : T$ for some $T$ such that $T^{\omega}$ enforces $M_P$. Since $T$ enforces $T^{\omega}$ and because of Lemma A.1, we have that $\vdash l\llbracket M \rrparenthesis P \mid !P \mid Q \rrbracket : ok$. By induction, $\vdash N'' : ok$. It is easy to prove that this suffices to obtain the desired $\vdash N' : ok$. □

Proof of Theorem 3.4 [Safety]: From the rule (wf-g.site$_M$) we know that $\vdash P_i : M_P$, for all $i = 1, \ldots, n$. We now proceed by induction over $|\sigma|$. The base case is trivial. For the inductive case, we consider $\sigma = a\sigma'$ and $P_i \xrightarrow{a} P''_i \xrightarrow{\sigma'} P'_i$. By induction on $\xrightarrow{a}$, we can prove that $a \in M_P$ and that $\vdash l\llbracket M_t; M_P - \{a\} \rrparenthesis P''_i \rrbracket : ok$. If the transition has been inferred by using rule (lts-act), then $P_i = a.P''_i$ and, by rule (wf-g.site$_M$), we have that $\vdash a.P''_i : M_P$; by definition of rule (tc-act), we have the desired $M_P = T \sqcup \{a\}$ and $\vdash P''_i : T$. When (lts-mig) is used the case is simpler, and all other cases follow in a straightforward manner by induction.

Coming back to the main claim, we use the induction and obtain that $act(\sigma')$ enforces $M_P - \{a\}$; thus, $act(\sigma)$ enforces $M_P$. □



A.3. Proofs of Section 3.2.

We start by recalling from [GR92] the formal definition of the language associated to a CRE, as follows.

$$\begin{array}{lcl}
lang(\varepsilon) & = & \{\varepsilon\} \\
lang(a) & = & \{a\} \\
lang(e_1.e_2) & = & \{x_1 x_2 : x_1 \in lang(e_1) \wedge x_2 \in lang(e_2)\} \\
lang(e_1 \odot e_2) & = & \{x_1 y_1 \cdots x_n y_n : x_1 \cdots x_n \in lang(e_1) \wedge y_1 \cdots y_n \in lang(e_2)\} \\
lang(e^{\otimes}) & = & \bigcup_{i \geq 0} lang(e)^i \quad \text{where } L^i = \begin{cases} \{\varepsilon\} & \text{if } i = 0 \\ L \odot L^{i-1} & \text{otherwise} \end{cases}
\end{array}$$

Notice that the definition of $lang(e_1 \odot e_2)$ hides a trick: the $x_i$'s and the $y_i$'s can also be $\varepsilon$. Thus, as expected, we can also consider interleavings of strings of different length.

We start by accounting for the complexity of the predicate enforces and of the satisfaction relation when policies are automata. This is stated by the following Proposition.

Proposition A.2.

(1) $A_1$ enforces $A_2$ can be calculated in polynomial time.

(2) $\vdash P : A$ is decidable, but super-exponential.
Proof.

(1) Let $A_i = (S_i, \Sigma, s^i_0, F_i, \delta_i)$ and let $L_i = Acp(A_i)$. By definition, we have to check whether $L_1 \subseteq L_2$ or not. This is equivalent to checking whether $L_1 \cap \overline{L_2} = \emptyset$. The following steps have been carried out by following [HU79].

(a) calculate the automaton associated to $\overline{L_2}$, by swapping final and non-final states (this presupposes a total transition function; a partial DFA is first completed with a rejecting sink state). This can be done in $O(|S_2|)$ and the resulting automaton has $|S_2|$ states.

(b) calculate the (product) automaton associated to $L_1 \cap \overline{L_2}$. This can be done in $O(|S_1| \times |S_2| \times |\Sigma|)$ and creates an automaton $A$ with $|S_1| \times |S_2|$ states.

(c) Checking the emptiness of $L_1 \cap \overline{L_2}$ can be done by using a breadth-first search that starts from the starting state of (the graph underlying) $A$ and stops whenever a final state is reached. If no final state is reached, $L_1 \cap \overline{L_2}$ is empty. This can be done in $O(|S_1| \times |S_2| \times |\Sigma|)$.

Thus, the overall complexity is $O(|S_1| \times |S_2| \times |\Sigma|)$.

(2) It has been proved in [GR92] that each CRE $e$ can be represented by a (labelled) Petri net, in that the language accepted by the Petri net is $lang(e)$. Now, we can easily construct a DFA accepting the complement of the language accepted by $A$ (see item (a) of the previous proof). Then we can construct the product between this DFA (that can be seen as a Petri net) and the Petri net associated to $CRE(P)$; this Petri net accepts $lang(CRE(P)) \cap \overline{Acp(A)}$ (see [Pet81]). Now, the emptiness of this language can be solved with the algorithm for the reachability problem in the corresponding Petri net. This problem has been proved decidable [May84] and solvable in double-exponential time [Bou98]. □

We now prove the subject reduction theorem in the setting where types are DFAs. To this aim, we need to adapt Lemma A.1 and we need a very simple result on the languages associated to DFAs and processes.

Lemma A.3. If $\vdash P : A$ and $A$ enforces $A'$, then $\vdash P : A'$.

Proof. By transitivity of subset inclusion. □

Lemma A.4.

(1) $a\sigma \in Acp_s(A)$ if and only if $\sigma \in Acp_{\delta(s,a)}(A)$.

(2) If $\sigma \in lang(CRE(a.P))$ then $\sigma = a\sigma'$ for some $\sigma' \in lang(CRE(P))$. Vice versa, if $\sigma \in lang(CRE(P))$, then $a\sigma \in lang(CRE(a.P))$.

Proof. Trivial. □



Proof of Theorem 3.8 [Subject Reduction]: Now $\vdash N : ok$ relies on rule (wf-g.site$_A$). Again, the proof is by induction on the inference of $N \to N'$. We only give the base cases, because inductive steps can be handled in a standard way. We only consider the cases of trustworthy sites; the case for non-trustworthy sites is easier. In what follows, we write $\vdash_s P : A$ to mean that $\vdash P : A'$, where $A'$ is the DFA obtained from $A$ by setting $s$ as starting state.

(r-act) In this case, $N = l\llbracket M \rrparenthesis a.P \mid Q \rrbracket$. By definition of rule (wf-g.site$_A$), it holds that $Q = Q_1 \mid \ldots \mid Q_k$ (for $Q_i$ threads), $\exists s.\ \vdash_s a.P : M_P$ and $\forall i.\ \exists s_i.\ \vdash_{s_i} Q_i : M_P$. By definition, we have that $lang(CRE(a.P)) \subseteq Acp_s(M_P)$; by Lemma A.4 we have that $lang(CRE(P)) \subseteq Acp_{\delta(s,a)}(M_P)$. This suffices to infer the well-formedness of $N' = l\llbracket M \rrparenthesis P \mid Q \rrbracket$.

(r-mig) In this case, $N = k\llbracket M^k \rrparenthesis go_A\, l.P \mid Q \rrbracket \;\|\; l\llbracket M^l \rrparenthesis R \rrbracket$ and $M^l \vdash_A P$. We further identify two sub-cases:

• $M^l_t(k) = good$. In this case, because of coherence, we know that $\vdash P : A$. Moreover, by definition of $M^l \vdash_A P$, it holds that $A$ enforces $M^l_P$. By Lemma A.3, we have that $\vdash P : M^l_P$. This suffices to conclude.

• $M^l_t(k) \neq good$. This case is simpler because $M^l \vdash_A P$ is defined to be $\vdash P : M^l_P$. □

Proof of Theorem 3.9 [Safety]: The proof is quite easy. Indeed, by rule (wf-g.site$_A$), it holds that $\exists s_i : \vdash_{s_i} P_i : M_P$. By definition, this implies that every $\sigma \in lang(CRE(P_i))$ is in $Acp_{s_i}(M_P)$. Since the automaton $M_P$ is minimal, $s_i$ is a state reachable from the starting state $s_0$, say, with a (finite) string $\sigma''$. Then, by Definition 3.6 and by Lemma A.4(1), it holds that $\sigma''\sigma \in Acp(M^l_P)$. This proves the thesis. □

A.4. Proofs of Section 4.

We show here the main things to modify to carry out the proofs given in Appendix A.2. Obviously, judgment $\vdash P : T$ must now be replaced everywhere with $\Vdash P : T$ and, similarly, $\vdash N : ok$ becomes $\Theta \vdash N : ok$.

Proof of Theorem 4.4 [Subject Reduction]: The proof is by induction over the inference of $N \to N'$. Inductive steps are simple; we only give the base steps.

(r-act) By hypothesis, $\Theta \vdash l\llbracket M \rrparenthesis a.P \mid Q \rrbracket : ok$. If $l$ is not trustworthy, the case is trivial. Otherwise, we know by hypothesis that $(pol(a.P \mid Q) \sqcup M_P)$ enforces $\Theta(l)$. Now, by definition of judgment $\Vdash$ (and hence of function $pol(\cdot)$) we have that $pol(a.P \mid Q) = pol(P \mid Q) \sqcup \{a\}$. Hence, $(pol(P \mid Q) \sqcup M_P)$ enforces $\Theta(l)$, as required.

(r-mig') By hypothesis, $\Theta \vdash l\llbracket M^l \rrparenthesis R \rrbracket : ok$; we only consider the case in which $l$ is trustworthy. Thus, we know that $(pol(R) \sqcup M^l_P)$ enforces $\Theta(l)$. By the premise of rule (r-mig'), it holds that $M^l \vdash_T P \succ M^{l\prime}$. We have two possible situations:

$M^l_t(k) = good$: In this case, $M^l \vdash_T P \succ M^{l\prime}$ is defined to be $T$ enforces $M^l_P \;\wedge\; M^l_P = M^{l\prime}_P \sqcup T \;\wedge\; M^{l\prime}_t = M^l_t$. The fact that $M^{l\prime}_t = M^l_t$ is sufficient to preserve coherence. Moreover, by rule (ti-mig), we know that $\Vdash P : T'$ and $T'$ enforces $T$. By rule (ti-par), $pol(P \mid R) = pol(R) \sqcup T'$ and $(pol(R) \sqcup T')$ enforces $(pol(R) \sqcup T)$. Then, $pol(P \mid R) \sqcup M^{l\prime}_P = (pol(R) \sqcup T' \sqcup M^{l\prime}_P)$ enforces $(pol(R) \sqcup T \sqcup M^{l\prime}_P) = (pol(R) \sqcup M^l_P)$ enforces $\Theta(l)$, as required.

$M^l_t(k) \neq good$: In this case, the previous proof should be rephrased by using $pol(P)$ instead of the digest $T$. □

Proof of Theorem 4.5 [Safety]: We prove a slightly more general result, that easily implies the desired claim.

Let $N$ be a well-formed system w.r.t. $\Theta$. If $l\llbracket M \rrparenthesis P \rrbracket$ is a trustworthy site of $N$ such that $(pol(P) \sqcup M_P) = T$, then $P \xrightarrow{\sigma} P'$ implies that $act(\sigma)$ enforces $T$.

The proof is by induction over $|\sigma|$. The base case is when $\sigma = \varepsilon$ and it is trivial. In the inductive case, we consider $\sigma = a\sigma'$ and $P \xrightarrow{a} P'' \xrightarrow{\sigma'} P'$. To start, it is easy to prove that

$$pol(P'') \sqcup \{a\} = pol(P) \qquad \text{(A.1)}$$

By transitivity of multiset inclusion and by the claim (A.1) above, $(pol(P'') \sqcup M_P) = T'$, where $T = T' \sqcup \{a\}$. Thus, node $l\llbracket M \rrparenthesis P'' \rrbracket$ is well-formed (and trustworthy). By induction we therefore have that $act(\sigma')$ enforces $T'$. Hence, $act(\sigma) = act(\sigma') \sqcup \{a\}$ enforces $T' \sqcup \{a\} = T$, as required.

To conclude, the original claim of Theorem 4.5 is obtained from the result just proved by noticing that, because of well-formedness, $T$ enforces $\Theta(l)$. □